signed packages documentation

To: tech-pkg%netbsd.org@localhost
Subject: signed packages documentation
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Thu, 23 Jul 2020 11:36:38 -0400

I build (small, with non-default options) package sets for two arches
for my own use, and I am thinking about what it would take to sign and
verify these.  Plus I'm asking for a friend :-)

Looking at the pkg_foo docs, even as someone who understands the
underlying issues and software, I have a lot of questions.

This is really a request for that mythical someone to improve the docs,
rather than just tell me answers.  My overall read is that all the
pieces are there, but it's not explained well enough to just get it
right from the docs.

specific quesions/comments

  # signing

  pkg_create does not say anything about signed packages.  Most of the
  following probably should be addressed in pkg_create(1).

  pkg_install.conf mentions "GPG_SIGN_AS" as a config variable.  It
  doesn't speak to where the key is, or what program is used to sign.
  We have netpgp in NetBSD base, and there is gpg 1 and 2 in pkgsrc.

  There is no explanation of whether or not one can create a package,
  and sign it later, or if this can be done only at creation time.

  There is no real explanation of how to come up with a keypair and how
  to produce the bits needed for validation.  (Only needs to be
  understanable by people that have used openpgp and basically
  understand, in my view.)

  Assuming gpg is used, it is not clear whether gpg is available to
  pkg_create when creation is done within the context of pbulk.

  Building packages and signing them as an automated process seems to
  require a key without a passphrase or gpg-agent.  This isn't explained
  at all.  It seems obvious that gpg-agent is preferred to a key without
  a passphrase.

  There is some notion of certificate chains, and it is not clear if
  there is any provision for including these in a signed package,
  similar to have pkix sends a cert chain for TLS.

  # validating

  pkg_add has the barest of references to configuring the use of
  signatures in pkg_install.conf.  Perhaps this is ok.

  CERTIFICATE_ANCHOR_PKGS is said to be for PEM-encoded "certificates".
  This smells like X.509/pkix, but I think it's OpenPGP.  But OpenPGP
  tends to talk about keys with signatures, even though I realize that
  is the same thing.

  The entire notion of "certificate chain" is confusing.  With pkix,
  there are clear validation rules.  With OpenPGP, it's very hazy to me.
  Does this mean "certificate that GnuPG will trust based on its
  configuration"?  With compiled-in defaults?  Something else?  This
  really starts to feel like authorization as any validated cert will be
  trusted to vouch for packages, which is blurring the usual PKI lines.

  The CERTIFICATE_CHAIN file seems not to be a chain per se but
  basically a bunch of keys that can be used to search for a certification
  path.  That's ok, but it should probably be bit more clearly stated
  because a reader might expect that things are really like pkix.

  The variable GPG is said to be for pkg-vulnerabilities, but there is
  no mention of whether that is used for checking signed packages, and
  if not what is.


Thanks,
Greg

Follow-Ups:
- Re: signed packages documentation
  - From: Joerg Sonnenberger

Prev by Date: daily pkgsrc CVS update output
Next by Date: Re: signed packages documentation
Previous by Thread: [patch] security/openssl: Make compatible with Apple Silicon
Next by Thread: Re: signed packages documentation
Indexes:

Home | Main Index | Thread Index | Old Index